Removing the server.ssl.clientAuthentication setting (#10262)

Backports PR #10253 **Commit 1:** Removing the server.ssl.clientAuthentication setting * Original sha: 0b42c7d040 * Authored by kobelb <brandon.kobel@elastic.co> on 2017-02-08T21:41:21Z
2025-04-23 17:28:26 -04:00 · 2017-02-10 06:41:47 -05:00 · 2017-02-10 06:41:47 -05:00 · dd2b6f9fab
commit dd2b6f9fab
parent daddd3f05f
4 changed files with 0 additions and 57 deletions
--- a/docs/setup/settings.asciidoc
+++ b/docs/setup/settings.asciidoc
@ -37,8 +37,6 @@ startup. Your Kibana users still need to authenticate with Elasticsearch, which
 `server.ssl.certificate:` and `server.ssl.key:`:: Paths to the PEM-format SSL certificate and SSL key files, respectively.
 `server.ssl.keyPassphrase`:: The passphrase that will be used to decrypt the private key. This value is optional as the key may not be encrypted.
 `server.ssl.certificateAuthorities`:: List of paths to PEM encoded certificate files that should be trusted.
-`server.ssl.clientAuthentication`:: *Default: none* Controls Kibana's server behavior in regard to requesting a certificate from client connections. Valid values are `required`,
- and `none`. `required` forces a client to present a certificate, while `none` does not.
 `server.ssl.supportedProtocols`:: *Default: TLSv1, TLSv1.1, TLSv1.2*  Supported protocols with versions. Valid protocols: `TLSv1`, `TLSv1.1`, `TLSv1.2`
 `server.ssl.cipherSuites`:: *Default: ECDHE-RSA-AES128-GCM-SHA256, ECDHE-ECDSA-AES128-GCM-SHA256, ECDHE-RSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES256-GCM-SHA384, DHE-RSA-AES128-GCM-SHA256, ECDHE-RSA-AES128-SHA256, DHE-RSA-AES128-SHA256, ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA384, ECDHE-RSA-AES256-SHA256, DHE-RSA-AES256-SHA256, HIGH,!aNULL, !eNULL, !EXPORT, !DES, !RC4, !MD5, !PSK, !SRP, !CAMELLIA*. Details on the format, and the valid options, are available via the [OpenSSL cipher list format documentation](https://www.openssl.org/docs/man1.0.2/apps/ciphers.html#CIPHER-LIST-FORMAT)
 `elasticsearch.ssl.cert:` and `elasticsearch.ssl.key:`:: Optional settings that provide the paths to the PEM-format SSL
--- a/src/server/config/tests/schema.js
+++ b/src/server/config/tests/schema.js
@ -119,39 +119,6 @@ describe('Config schema', function () {
        });
      });

-      describe('clientAuthentication', function () {
-        it ('defaults to \'none\'', function () {
-          const config = {};
-          const { error, value } = validate({});
-          expect(error).to.be(null);
-          expect(value).to.be.an(Object);
-          expect(value.server).to.be.an(Object);
-          expect(value.server.ssl).to.be.an(Object);
-          expect(value.server.ssl.clientAuthentication).to.be('none');
-        });
-
-        ['none', 'required'].forEach((option) => {
-          it(`allows ${option}`, function () {
-            const config = {};
-            set(config, 'server.ssl.clientAuthentication', option);
-            const { error } = validate(config);
-            expect(error).to.be(null);
-          });
-        });
-
-        ['bogus', 'somethingelse'].forEach((option) => {
-          it(`rejects ${option}`, function () {
-            const config = {};
-            set(config, 'server.ssl.clientAuthentication', option);
-            const { error } = validate(config);
-            expect(error).to.be.an(Object);
-            expect(error).to.have.property('details');
-            expect(error.details[0]).to.have.property('path', 'server.ssl.clientAuthentication');
-          });
-        });
-
-      });
-
      describe('certificateAuthorities', function () {
        it('allows array of string', function () {
          const config = {};
--- a/src/server/config/schema.js
+++ b/src/server/config/schema.js
@ -52,7 +52,6 @@ module.exports = () => Joi.object({
      }),
      keyPassphrase: Joi.string(),
      certificateAuthorities: Joi.array().single().items(Joi.string()),
-      clientAuthentication: Joi.string().valid('none', 'required').default('none'),
      supportedProtocols: Joi.array().items(Joi.string().valid('TLSv1', 'TLSv1.1', 'TLSv1.2')),
      cipherSuites: Joi.array().items(Joi.string()).default(cryptoConstants.defaultCoreCipherList.split(':'))
    }).default(),
--- a/src/server/http/setup_connection.js
+++ b/src/server/http/setup_connection.js
@ -4,23 +4,6 @@ import httpolyglot from '@elastic/httpolyglot';
 import { map } from 'lodash';
 import secureOptions from './secure_options';

-const getClientAuthenticationHttpOptions = (clientAuthentication) => {
-  switch (clientAuthentication) {
-    case 'none':
-      return {
-        requestCert: false,
-        rejectUnauthorized: false
-      };
-    case 'required':
-      return {
-        requestCert: true,
-        rejectUnauthorized: true
-      };
-    default:
-      throw new Error(`Unknown clientAuthentication option: ${clientAuthentication}`);
-  }
-};
-
 export default function (kbnServer, server, config) {
  // this mixin is used outside of the kbn server, so it MUST work without a full kbnServer object.
  kbnServer = null;
@ -50,8 +33,6 @@ export default function (kbnServer, server, config) {
    return;
  }

-  const { requestCert, rejectUnauthorized } = getClientAuthenticationHttpOptions(config.get('server.ssl.clientAuthentication'));
-
  server.connection({
    ...connectionOptions,
    tls: true,
@ -64,8 +45,6 @@ export default function (kbnServer, server, config) {
      ciphers: config.get('server.ssl.cipherSuites').join(':'),
      // We use the server's cipher order rather than the client's to prevent the BEAST attack
      honorCipherOrder: true,
-      requestCert,
-      rejectUnauthorized,
      secureOptions: secureOptions(config.get('server.ssl.supportedProtocols'))
    })
  });